An Introduction to Kubernetes Network Policies for Security Professionals


Translator's note: the author of this article, Reuven Harrison, has more than 20 years of experience in software development and is today the CTO and co-founder of Tufin, a company that builds security policy management solutions. While he considers Kubernetes network policies a fairly powerful tool for segmenting the network inside a cluster, he also believes that they are not easy to use in practice. This (rather long) piece aims to improve practitioners' understanding of the topic and help them produce the necessary configuration.

Today, many companies choose Kubernetes to run their applications. Interest in the platform is so high that some call Kubernetes "the new operating system of the data center." Gradually, Kubernetes (or k8s) is coming to be seen as a business-critical component, which demands the introduction of mature business processes, including network security.

For security professionals who are puzzled by working with Kubernetes, the real revelation may be the platform's default policy: allow everything.

This guide will help you understand how network policies work and how they differ from ordinary firewall rules. It also covers several pitfalls and gives recommendations for securing applications on Kubernetes.

Kubernetes network policies

The Kubernetes network policy mechanism lets you control the interaction of applications deployed on the platform at the network level (layer 3 of the OSI model). Network policies lack some of the advanced features of modern firewalls, such as OSI layer 7 enforcement and threat detection, but they provide a basic level of network security that is a good starting point.

Network policies control communication between pods

Workloads on Kubernetes are distributed across pods, which consist of one or more containers deployed together. Kubernetes assigns each pod an IP address that is reachable from other pods. Kubernetes network policies set access permissions for groups of pods, much as security groups in the cloud are used to control access to virtual machine instances.

Defining network policies

Like other Kubernetes resources, network policies are defined in YAML. In the example below, the balance application is given access to postgres:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: balance
  policyTypes:
  - Ingress

(Translator's note: this figure, like all the similar ones that follow, was produced not with native Kubernetes tools but with Tufin Orca, a tool developed by the company of the original article's author and mentioned at the end of the article.)

To write your own network policies you need a basic knowledge of YAML. The language is based on indentation (expressed with spaces, not tabs). An indented element belongs to the nearest less-indented element above it. A new list item starts with a hyphen; all other items have a key: value form.

After describing the policy in YAML, use kubectl to create it in the cluster:

kubectl create -f policy.yaml

Network policy components

The specification of a Kubernetes network policy includes four elements:

  1. podSelector: defines the pods affected by the policy (the targets); required;
  2. policyTypes: indicates which kinds of rules the policy includes: ingress and/or egress; optional, but I recommend always specifying it explicitly;
  3. ingress: defines the allowed incoming traffic to the target pods; optional;
  4. egress: defines the allowed outgoing traffic from the target pods; optional.

An example taken from the Kubernetes site (I changed role to app) shows how all four elements are used:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:    # <<<
    matchLabels:
      app: db
  policyTypes:    # <<<
  - Ingress
  - Egress
  ingress:        # <<<
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:         # <<<
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978


Note that all four elements do not have to be present. Only podSelector is mandatory; the other parameters can be used as needed.

If you omit policyTypes, the policy is interpreted as follows:

  • It is assumed to define the ingress side. If the policy does not define ingress explicitly, the system treats all incoming traffic as denied.
  • The behaviour of the egress side is determined by the presence or absence of the corresponding egress parameter.

To avoid mistakes, I recommend always specifying policyTypes explicitly.

Following the logic above, if the ingress and/or egress sections are omitted, the policy denies all traffic (see "The stripping rule" below).

The default policy is allow

If no policies are defined, Kubernetes allows all traffic by default. All pods can freely exchange information with each other. This may seem counterintuitive from a security standpoint, but remember that Kubernetes was originally designed by developers for application interoperability. Network policies were added later.

Namespaces

Namespaces are the basic multi-tenancy mechanism of Kubernetes. They are designed to separate logical environments from each other, while communication between namespaces is allowed by default.

Like most Kubernetes components, network policies live in a specific namespace. In the metadata block you can specify which namespace the policy belongs to:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: my-namespace  # <<<
spec:
...

If the namespace is not specified explicitly in metadata, the system uses the namespace given to kubectl (by default namespace=default):

kubectl apply -n my-namespace -f namespace.yaml

I recommend specifying the namespace explicitly, unless you are writing a policy that targets several namespaces at once.

The main podSelector element of a policy selects pods from the namespace the policy belongs to (it cannot select pods from other namespaces).

Likewise, the podSelectors in the ingress and egress blocks can only select pods from their own namespace, unless you combine them with a namespaceSelector (this is covered in the section "Filtering by namespaces AND pods").

Policy naming rules

Policy names are unique within a namespace. There cannot be two policies with the same name in one namespace, but there can be policies with the same name in different namespaces. This is useful when you want to reuse the same policy in several namespaces.

I particularly like one naming scheme. It combines the namespace name with the target pods. For example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres  # <<<
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress


Labels

You can attach custom labels to Kubernetes objects such as pods and namespaces. Labels are the equivalent of tags in the cloud. Kubernetes network policies use labels to select the pods they apply to:

podSelector:
  matchLabels:
    role: db

... or the namespaces they apply to. This example selects all pods in the namespaces that carry the matching labels:

namespaceSelector:
  matchLabels:
    project: myproject

One caveat: when using namespaceSelector, make sure the namespaces you select actually carry the right labels. Note that built-in namespaces such as default and kube-system have no labels by default.

You can add a label to a namespace like this:

kubectl label namespace default namespace=default

At the same time, namespace in the metadata section must refer to the real name of the namespace, not to a label:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default   # <<<
spec:
...

Source and destination

Firewall policies consist of rules with sources and destinations. Kubernetes network policies are defined for a target (the set of pods they apply to) and then specify rules for ingress and/or egress. In our example, the policy's target is all pods in the default namespace that carry the key app with the value db:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: db   # <<<
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978

The ingress section of this policy opens incoming traffic to the target pods. In other words, ingress is the source and the target is the destination. Similarly, egress is the destination and the target is the source.

This is equivalent to two firewall rules: Ingress → Target; Target → Egress.

Egress and DNS (important!)

When restricting outgoing traffic, pay special attention to DNS: Kubernetes uses this service to map names to IP addresses. For example, the following policy will not work, because you have not allowed the balance application to reach DNS:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  policyTypes:
  - Egress

You can fix this by opening access to the DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:               # <<<
    ports:            # <<<
    - protocol: UDP   # <<<
      port: 53        # <<<
  policyTypes:
  - Egress

The last to element is empty, so it implicitly selects every destination, letting balance send DNS queries to the relevant Kubernetes service (which usually runs in the kube-system namespace).

This approach works, but it is overly permissive and insecure, because it allows DNS queries to be sent outside the cluster.

You can fix this in three successive steps.

1. Allow DNS queries only inside the cluster by adding a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector: {} # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

2. Allow DNS queries only inside the kube-system namespace.

To do this you need to label the kube-system namespace (kubectl label namespace kube-system namespace=kube-system) and use a namespaceSelector in the policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
  - to:
    - namespaceSelector:         # <<<
        matchLabels:             # <<<
          namespace: kube-system # <<<
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

3. The paranoid can go further and restrict DNS queries to a specific DNS service in kube-system. The section "Filtering by namespaces AND pods" shows how to achieve this.

Another option is to allow DNS at the namespace level. In that case it does not have to be opened for every service separately:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.dns
  namespace: default
spec:
  podSelector: {} # <<<
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
  policyTypes:
  - Egress

The empty podSelector selects all pods in the namespace.

First match and rule order

In conventional firewalls, the action (Allow or Deny) taken on a packet is determined by the first rule it matches. In Kubernetes, the order of policies does not matter.

By default, when no policies are defined, communication between pods is allowed and they can exchange information freely. As soon as you start creating policies, every pod affected by at least one of them becomes isolated according to the disjunction (logical OR) of all the policies that select it. Pods not affected by any policy remain fully open.

You can change this behaviour with a stripping rule.

The stripping rule ("Deny")

Firewall policies usually deny any traffic that is not explicitly allowed.

There is no deny action in Kubernetes; however, the same effect can be achieved with an ordinary (allow) policy that selects an empty group of source pods (ingress):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress

This policy selects all pods in the namespace and leaves ingress undefined, thereby denying all incoming traffic.

Similarly, you can deny all traffic leaving the namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-egress
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress

Note that any additional policies that allow traffic to pods in the namespace take precedence over this rule (this is equivalent to adding an allow rule before the deny rule in a firewall configuration).

Allow all (Any-Any-Any-Allow)

To create an Allow All policy, add an empty ingress element to the Deny policy above:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
  namespace: default
spec:
  podSelector: {}
  ingress: # <<<
  - {}     # <<<
  policyTypes:
  - Ingress

It allows access from all pods in all namespaces (and from all IPs) to any pod in the default namespace. This behaviour is on by default, so it usually does not need to be restated. However, sometimes you may need to temporarily switch off specific permissions to diagnose a problem.

The rule can be narrowed so that it allows access only to a specific group of pods (app:balance) in the default namespace:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-to-balance
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: balance
  ingress: 
  - {}
  policyTypes:
  - Ingress

The following policy allows all ingress and egress traffic, including access to any IP outside the cluster:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all
spec:
  podSelector: {}
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Ingress
  - Egress

Combining multiple policies

Policies are combined with a logical OR at three levels; the permissions of each pod are set according to the disjunction of all policies that affect it:

1. In the from and to fields, three kinds of elements can be specified (all of them combined with OR):

  • namespaceSelector selects a whole namespace;
  • podSelector selects pods;
  • ipBlock selects a subnet.

Moreover, the number of elements (even of the same kind) in the from/to sections is not limited. All of them are combined with a logical OR.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

2. Inside a policy, the ingress section can contain several from elements (combined with a logical OR). Likewise, the egress section can contain several to elements (also combined by disjunction):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
  - from:
    - podSelector:
        matchLabels:
          app: admin
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

3. Different policies are also combined with a logical OR.

But when combining them there is one limitation, pointed out by Chris Cooney: Kubernetes can only combine policies with different policyTypes (Ingress or Egress). Policies that both define ingress (or both define egress) will overwrite each other.

Interaction between namespaces

By default, exchange of information between namespaces is allowed. This can be changed with a deny policy that restricts outgoing and/or incoming traffic for the namespace (see "The stripping rule" above).

Having blocked access to a namespace (see "The stripping rule" above), you can make exceptions to the deny rule by allowing connections from a specific namespace with a namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: # <<<
        matchLabels:
          namespace: default
  policyTypes:
  - Ingress

As a result, all pods in the default namespace get access to the postgres pods in the database namespace. But what if you want to open access to postgres only to specific pods in the default namespace?

Filtering by namespaces AND pods

Kubernetes version 1.11 and later lets you combine the namespaceSelector and podSelector operators with a logical AND. It looks like this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          namespace: default
      podSelector: # <<<
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Why is this interpreted as AND rather than the usual OR?

Note that podSelector does not start with a hyphen. In YAML this means that podSelector and the namespaceSelector before it belong to the same list item. They are therefore combined with a logical AND.

Adding a hyphen in front of podSelector would start a new list item, which would be combined with the preceding namespaceSelector with a logical OR.

To select pods with a given label in all namespaces, enter an empty namespaceSelector:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: database.postgres
  namespace: database
spec:
  podSelector:
    matchLabels:
      app: postgres
  ingress:
  - from:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          app: admin
  policyTypes:
  - Ingress

Multiple labels are combined with AND

Firewall rules with several objects (hosts, networks, groups) are combined with a logical OR. The following rule fires if the packet source matches Host_1 OR Host_2:

| Source | Destination | Service | Action |
|--------|-------------|---------|--------|
| Host_1 | Subnet_A    | HTTPS   | Allow  |
| Host_2 |             |         |        |

In contrast, in Kubernetes the different labels in a podSelector or namespaceSelector are combined with a logical AND. For example, the following rule selects pods that carry both labels, role=db AND version=v2:

podSelector:
  matchLabels:
    role: db
    version: v2

The same logic applies to all kinds of selectors: target selectors, pod selectors, and namespace selectors.

Subnets and IP addresses (ipBlocks)

Firewalls use VLANs, IP addresses, and subnets to segment the network.

In Kubernetes, IP addresses are assigned to pods automatically and can change frequently, so labels are used in network policies to select pods and namespaces.

Subnets (ipBlocks) are used to control external (North-South) incoming (ingress) or outgoing (egress) connections. For example, this policy gives all pods in the default namespace access to Google's DNS service:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-dns
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 8.8.8.8/32
    ports:
    - protocol: UDP
      port: 53

The empty pod selector in this example means "select all pods in the namespace."

This policy allows access to 8.8.8.8 only; access to any other IP is denied. So, in effect, you have blocked access to the internal Kubernetes DNS service. If you still want to open it, specify it explicitly.

Usually ipBlocks and podSelectors are mutually exclusive, because internal pod IP addresses are not used in ipBlocks. By specifying internal pod IPs you would in fact allow connections to/from the pods with those addresses. In practice, you will not know which IP address to use, which is why they should not be used to select pods.

As a counter-example, the following policy covers all IPs and therefore allows access to all other pods:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0

You can open only external IPs while excluding the internal pod IP addresses. For example, if your pod subnet is 10.16.0.0/14:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-any
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        - 10.16.0.0/14

Ports and protocols

Pods usually listen on a single port. This means you can simply omit port numbers in policies and leave everything at the defaults. However, it is recommended to make policies as restrictive as possible, so in some cases you can specify the ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
    - port: 443        # <<<
      protocol: TCP    # <<<
    - port: 80         # <<<
      protocol: TCP    # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Note that the ports selector applies to all elements of the to or from block that contains it. To specify different ports for different sets of elements, split ingress or egress into several sections, each with its own to or from and its own list of ports:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default.postgres
  namespace: default
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: indexer
    ports:             # <<<
    - port: 443        # <<<
      protocol: TCP    # <<<
  - from:
    - podSelector:
        matchLabels:
          app: admin
    ports:             # <<<
    - port: 80         # <<<
      protocol: TCP    # <<<
  podSelector:
    matchLabels:
      app: postgres
  policyTypes:
  - Ingress

Default port behaviour:

  • If you omit the port definition entirely (ports), it means all protocols and all ports;
  • If you omit the protocol definition (protocol), it means TCP;
  • If you omit the port definition (port), it means all ports.

Best practice: do not rely on the defaults; specify what you need explicitly.

Note that you must use pod ports, not service ports (more on this in the next section).

Are policies defined for pods or for services?

Usually, pods in Kubernetes talk to each other through a service, a virtual load balancer that routes traffic to the pods implementing the service. You might think that network policies control access to services, but that is not the case. Kubernetes network policies operate on pod ports, not service ports.

For example, if a service listens on port 80 but routes traffic to port 8080 of its pods, you must specify exactly 8080 in the network policy.

This mechanism should be considered suboptimal: if the internal structure of the service (the ports the pods listen on) changes, the network policies will have to be updated.

The new architectural approach based on a Service Mesh (for example, see Istio below; translator's note) lets you handle this problem.

Is it necessary to write both Ingress and Egress?

The short answer is yes: for pod A to talk to pod B, it must be allowed to open an outgoing connection (which requires an egress policy), and pod B must accept the incoming connection (which requires an ingress policy).

In practice, however, you can rely on the default policy to allow the connection in one or both directions.

If the source pod is selected by one or more egress policies, the restrictions imposed on it are determined by their disjunction. In that case you must explicitly allow the connection to the destination pod. If the pod is not selected by any policy, its outgoing (egress) traffic is allowed by default.

Similarly, the fate of a destination pod selected by one or more ingress policies is determined by their disjunction. In that case you must explicitly allow it to receive traffic from the source pod. If the pod is not selected by any policy, all incoming traffic to it is allowed by default.

See "Stateful or Stateless?" below.
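As an added illustration (my own script, not the author's code and not a Kubernetes component), the Python below simulates the evaluation semantics spelled out in the sections above: OR across policies and across from/to entries, AND between a namespaceSelector and podSelector in the same entry and between multiple labels, the stripping rule, the "anywhere" versus in-cluster DNS egress variants, ipBlock with except, the ports defaults, and the requirement that egress at the source and ingress at the destination both permit a connection. Policies are Python dicts mirroring the page's YAML; the pod IP addresses, the kube-dns pod labels and the namespace labels are constructed assumptions.

```python
# Added example, not from the article: a simulator of the NetworkPolicy semantics the
# text describes. Policies are dicts mirroring the page's YAML; pods, labels and IPs
# below are constructed for the demo.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Endpoint:
    ip: str
    namespace: Optional[str] = None  # None means a host outside the cluster
    labels: dict = field(default_factory=dict)

# As if `kubectl label namespace <name> namespace=<name>` had been run on each one.
NAMESPACE_LABELS = {ns: {"namespace": ns} for ns in ("default", "kube-system", "database")}

def labels_match(selector, labels):
    """matchLabels entries are AND-ed; an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, other, policy_ns):
    """One from/to entry: ipBlock matches on address only; namespaceSelector and podSelector
    in the same entry are AND-ed; a lone podSelector stays in the policy's namespace."""
    if "ipBlock" in peer:
        addr, blk = ip_address(other.ip), peer["ipBlock"]
        return addr in ip_network(blk["cidr"]) and not any(
            addr in ip_network(ex) for ex in blk.get("except", []))
    if other.namespace is None:
        return False  # selectors never match traffic from/to outside the cluster
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], NAMESPACE_LABELS.get(other.namespace, {})):
            return False
    elif other.namespace != policy_ns:
        return False
    return labels_match(peer.get("podSelector", {}), other.labels)

def rule_matches(rule, other, port, proto, peer_key, policy_ns):
    """from/to entries are OR-ed and a missing list means any peer; ports apply to the
    whole rule, omitted ports means all ports and omitted protocol means TCP."""
    peers = rule.get(peer_key) or []
    if peers and not any(peer_matches(p, other, policy_ns) for p in peers):
        return False
    ports = rule.get("ports") or []
    return not ports or any(
        p.get("protocol", "TCP") == proto and p.get("port", port) == port for p in ports)

def policy_types(policy):
    """Defaults when policyTypes is omitted: Ingress always, Egress only if a section exists."""
    spec = policy["spec"]
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])

def direction_ok(target, other, direction, port, proto, policies):
    """Selected by no policy for this direction = not isolated; else OR of all selecting rules."""
    if target.namespace is None:
        return True  # hosts outside the cluster are not governed by NetworkPolicy
    key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == target.namespace
                 and direction in policy_types(p)
                 and labels_match(p["spec"]["podSelector"], target.labels)]
    if not selecting:
        return True
    return any(rule_matches(r, other, port, proto, peer_key, p["metadata"]["namespace"])
               for p in selecting for r in p["spec"].get(key) or [])

def allowed(src, dst, port, proto, policies):
    """src -> dst works only if src may send (Egress) AND dst may receive (Ingress)."""
    return (direction_ok(src, dst, "Egress", port, proto, policies)
            and direction_ok(dst, src, "Ingress", port, proto, policies))

def np(name, namespace, spec):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}

# Policies transcribed from the article's YAML examples.
POSTGRES_FROM_BALANCE = np("default.postgres", "default", {
    "podSelector": {"matchLabels": {"app": "postgres"}}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "balance"}}}]}]})
BALANCE_DNS_ANYWHERE = np("default.balance", "default", {  # the "- to:" with no peers
    "podSelector": {"matchLabels": {"app": "balance"}}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
               {"ports": [{"protocol": "UDP", "port": 53}]}]})
BALANCE_DNS_IN_CLUSTER = np("default.balance", "default", {  # namespaceSelector: {}
    "podSelector": {"matchLabels": {"app": "balance"}}, "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "postgres"}}}]},
               {"to": [{"namespaceSelector": {}}], "ports": [{"protocol": "UDP", "port": 53}]}]})
DB_POSTGRES_FROM_DEFAULT_ADMIN = np("database.postgres", "database", {  # namespace AND pod
    "podSelector": {"matchLabels": {"app": "postgres"}}, "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"namespace": "default"}},
                           "podSelector": {"matchLabels": {"app": "admin"}}}]}]})
DENY_ALL_INGRESS = np("deny-all", "default", {"podSelector": {}, "policyTypes": ["Ingress"]})

# Constructed pods (labels as in the article) plus a resolver outside the cluster.
BALANCE = Endpoint("10.16.1.10", "default", {"app": "balance"})
POSTGRES = Endpoint("10.16.1.11", "default", {"app": "postgres"})
ADMIN = Endpoint("10.16.1.12", "default", {"app": "admin"})
DB_POSTGRES = Endpoint("10.16.2.10", "database", {"app": "postgres"})
KUBE_DNS = Endpoint("10.16.0.10", "kube-system", {"k8s-app": "kube-dns"})
GOOGLE_DNS = Endpoint("8.8.8.8")
```

Calling allowed(BALANCE, GOOGLE_DNS, 53, "UDP", [BALANCE_DNS_ANYWHERE]) returns True while the same call with BALANCE_DNS_IN_CLUSTER returns False, which is the difference between the two DNS variants discussed above.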

Logs

Kubernetes network policies cannot log traffic. This makes it hard to tell whether a policy works as intended and greatly complicates security analysis.

Controlling traffic to external services

Kubernetes network policies do not let you specify a fully qualified domain name (DNS) in egress sections. This is a significant inconvenience when you try to restrict traffic to external destinations that have no fixed IP address (such as aws.com).

Policy validation

Firewalls will warn you or even refuse to accept an incorrect policy. Kubernetes also does some validation. When you apply a network policy through kubectl, Kubernetes may declare it invalid and refuse to accept it. In other cases, Kubernetes accepts the policy and fills in the missing details. These can be seen with the command:

kubectl get networkpolicy <policy-name> -o yaml

Bear in mind that the Kubernetes validation system is not infallible and may miss some kinds of errors.

Enforcement

Kubernetes does not enforce network policies itself; it is an API gateway that hands the enforcement work to a system called the Container Networking Interface (CNI). Setting policies in a Kubernetes cluster without a suitable CNI in place is like creating policies on a firewall management server without installing them on the firewalls. It is up to you to make sure you have a proper CNI or, in the case of cloud-hosted Kubernetes platforms (a list of providers can be found here; translator's note), to enable network policies, which will set up the CNI for you.

Note that Kubernetes will not warn you if you set a network policy without a supporting CNI.

Stateful or Stateless?

All the Kubernetes CNIs I have come across are stateful (for example, Calico uses Linux conntrack). This allows a pod to receive responses on a TCP connection it initiated without re-establishing it. However, I am not aware of a Kubernetes standard that would guarantee statefulness.

Advanced security policy management

Here are some ways to improve security management on Kubernetes:

  1. The Service Mesh architectural pattern uses sidecar proxies to provide detailed telemetry and traffic control at the service level. Istio is one example.
  2. Some CNI vendors have extended their tools beyond Kubernetes network policies.
  3. Tufin Orca provides visibility and automation for Kubernetes network policies.

The Tufin Orca package manages Kubernetes network policies (and is the source of the screenshots above).

Conclusion

Kubernetes network policies offer a good toolset for cluster segmentation, but they are not intuitive and have many subtleties. Because of this complexity, I believe that many existing cluster policies are flawed. Possible solutions are to automate policy definitions or to use other segmentation tools.

I hope this guide helps you answer some questions and solve the problems you may run into.

Source: www.habr.com